
Adventures in Securing an Open Source Project: From Repo Security Zero… – Kara Olive & Pedro Nacht


Adventures in Securing an Open Source Project: From Repo Security Zero to Hero – Kara Olive & Pedro Nacht, Google

There’s been a sharp increase in known attacks on open source projects in recent years. If you’re new to open source development, you might not be aware of the free tools and techniques available for protecting your project. As members of the Google Open Source Security Team (GOSST), we created a real project with all the worst security practices we could fit into a single repository and then scored it with the OpenSSF Scorecard tool, which evaluates a project’s use of security best practices and provides steps to remediate any weaknesses. We were able to bring the project’s score down to 1.2/10, when simply using GitHub’s default settings would give you a 4.5! We then used Scorecard to guide us through securing the project from end to end, raising its score into the top 1% of the 1M+ projects rated by Scorecard. All the tools we used are freely available to developers, and this talk will focus on those most accessible to beginners. We’ll share lessons we learned from this effort, including:

- Tips for getting started securing your own open source projects
- Advice on choosing on-ramp improvements that give the best ratio of effort versus payoff
- Examples of common actions that make your project susceptible to multiple threat vectors, plus the straightforward ways to mitigate them

Date: October 5, 2023